Implementing entity-level controls will reduce fraud and errors in church management.
By Daniel J. Whelan
As church congregations and budgets grow, the potential exposure to fraud and other illicit behavior grows as well. Larger churches would be well served to consider steps that other nonprofit entities have taken to tighten their internal control environments.
While public companies have focused on assessing the effectiveness of their entity-level controls (otherwise known as the “tone at the top”) since the adoption of the Sarbanes-Oxley Act of 2002 (SOX), many nonprofit organizations have been slow to leverage these controls to prevent fraud and better manage their total risk.
Preventing fraud and errors
The concept of entity-level controls is to determine whether an organization’s values, systems, policies, procedures and processes would prevent fraud and errors. Unlike controls focused on the financial reporting process that primarily affect accounting and finance employees, entity-level controls affect all employees in an organization. Although most of SOX does not apply to nonprofits, progressive organizations are adopting some of its best-practice concepts in order to benefit by better leveraging entity-level controls.
When we talk about internal controls, it is important to begin with a framework from which to operate. The primary purpose of such a framework is to prevent and detect errors and fraud. If we keep this in mind, then having strong entity-level controls should be an important focus of any organization. The most common framework comes from COSO (Commission on the Sponsoring Organizations of the Treadway Commission). The five elements of the COSO Internal Controls-Integrated Framework are as follows:
- Control environment
- Risk assessment (including the assessment of fraud)
- Information and communication
- Control activities (the key controls)
The control environment of an organization is the first building block in setting appropriate and effective entity-level controls and providing discipline and structure. The objective is to establish and promote a collective attitude toward achieving effective internal control and to ensure a solid foundation from which to build its business processes. It also provides a measurement to gauge appropriate behavior.
Code of conduct
Creating an organization that values integrity and ethical behavior sets the tone that is the foundation of effective entity-wide controls. Churches can take inspiration from various best practice ideas that have evolved in the for-profit world.
Your church should publish a code of conduct or code of ethics that is reviewed by new hires and signed by all employees during orientation and reviewed on an annual basis. Be sure employees understand the consequences of violating the code of conduct, such as suspension or potential termination.
Ethics policies and enforcement should be formally documented to avoid any misinterpretations concerning expected behavior. These policies should also clearly communicate that fraud will not be tolerated, further emphasizing integrity and ethical behavior as core values of the organization.
The majority of the fraud issues related to Enron, MCI, and others were a direct result of management overrides. The code of conduct should specify that management overrides of internal controls are prohibited and specific controls such as a whistleblower policy should be put in place to monitor and report this activity.
The right people
Hiring and retaining competent employees is another important element of a successful control environment. Management should invest in educating and training their staff so that they can properly fulfill their job responsibilities. Training policies should be documented in writing and these costs should be built into your annual budget.
Audit or finance committees bear responsibility for establishing and maintaining internal controls in an organization. If your church has an audit or finance committee, write a charter that outlines the roles and responsibilities of the committee and its members and provides guidance to help it operate effectively. The committee should be authorized to hire the external audit firm (if your church has an annual audit), and the auditors should report directly to the committee. All non-audit services should be approved in advance by the committee to thwart any independence issues (including independence “in appearance”).
Under SOX, public companies are required to include a “financial expert” on the audit committee. While this is not a requirement for nonprofit organizations, it is considered a best practice to include at least one audit committee member or board member who understands nonprofit accounting, especially since nonprofit financial statements can be extremely complex. Additionally, the committee should issue written agendas and publish minutes from their meetings to maintain a record of issues, discussions and decisions.
Effective internal controls
The structure of your church should be designed to facilitate sound internal controls. You should first identify the areas where issues related to segregation of duties may exist. Next, determine potential alternatives to resolving this conflict. Can the function be effectively outsourced? If the answer is no, determine whether reliable compensatory or mitigating controls can be implemented.
The organizational structure should also address who will serve in a backup capacity if someone is out of the office. To the extent that the backup role triggers complications related to segregation of duties, you should focus on compensatory controls to mitigate the risk associated with these issues. If an employee who is authorized to approve transactions is out on a regular basis, this authority should be designated to the appropriate alternate employee and documented in the policies and procedures. These are simple steps that can have a profound impact on your organization.
Other examples of entity-level controls include establishing policies and procedures that are accessible to all employees and performing background checks for all new employees, or at least all accounting and finance employees and those that may handle cash.
Writing job descriptions that outline roles and responsibilities for all positions is important, as well as implementing a proper and timely financial closing process with appropriate segregation of duties, including the review of key performance indicators by management as an effective monitoring control.
Create and implement standards
Establishing an independent audit or finance committee if one does not exist is essential for churches. It’s also necessary to develop disaster-recovery and business-continuity plans, and to monitor personnel turnover and track reasons for departure in order to determine whether fraud is playing a role. Creating and enforcing standards for hiring the most qualified individuals should be a key component for churches, and recruiting practices should include formal, in-depth interviews and informative, insightful presentations on the church’s history, culture and operating style. Evaluating and reviewing job performance periodically with each employee should be standard practice.
Executive directors, chief financial officers and controllers’ firsthand knowledge of the church’s day-to-day activities can also be leveraged as an entity-level control. Assuming management is applying a skeptical perspective and asking probing questions, they may be in the best position possible to identify potential errors or fraud. Leverage your intimate knowledge of your church for productive results.
Churches should look at analytical tools currently used by management to determine whether they might also serve as an entity-level control. Then, consider the cost versus the benefit of enhancing a control to make it more precise and predictable.
Entity-level controls are pervasive and apply to all employees of a church, serving as the standard by which all other behavior is measured. As a result, your church can gain a significant advantage in reducing errors and fraud by better leveraging effective entity-level controls.
Daniel J. Whelan is a managing director with RSM McGladrey and leads the risk management practice in the Mid-Atlantic region. [rsmmcgladrey.com]